Voucher Vault
Redzone Rewards — an internal employee rewards portal — exposes a voucher search that concatenates user input straight into a SELECT. Find the hidden administrative voucher.
The Scenario
One of the Redzone security interns was auditing the new Rewards portal during launch week and flagged something off in the voucher-search logic. Before they could open a ticket they got pulled into a different project. Finish what they started: pull the hidden admin voucher.
Challenge Intel
Synopsis
A medium-difficulty SQL injection lab against an employee rewards portal with a permissive search feature.
What It Is
Redzone Rewards is an internal portal where a voucher search query was stitched together from raw user input during a rushed launch week. The flaw is the kind of thing a reviewer spots in five minutes, but that review never happened. A straightforward, satisfying classical SQLi exercise in a believable corporate setting.
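As an added illustration, not code from the lab or from the Redzone Rewards portal, here is the concatenation pattern the scenario describes next to its parameterised form, built on sqlite3 with a constructed voucher table (the schema, column names and the is_admin flag are assumptions):

```python
import sqlite3

# Constructed sample data standing in for the rewards portal's voucher table;
# the schema and the is_admin flag are assumptions, not the lab's real layout.
SAMPLE_VOUCHERS = [
    (1, "LUNCH10", "10 percent off cafeteria", 0),
    (2, "GYM25", "25% off gym membership", 0),
    (3, "ADMIN-ROOT", "hidden administrative voucher", 1),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vouchers (id INTEGER, code TEXT, description TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO vouchers VALUES (?, ?, ?, ?)", SAMPLE_VOUCHERS)
    return conn


def search_vulnerable(conn, term):
    # The launch-week pattern: user input stitched straight into the SQL text.
    # The quotes around term belong to the query, so a quote inside term ends
    # the literal and whatever follows is parsed as SQL, not as data.
    sql = (
        "SELECT code, description FROM vouchers "
        "WHERE is_admin = 0 AND description LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Hardened form: the query text is fixed and the term travels as a bound
    # parameter, so the database never parses it as SQL. LIKE wildcards in the
    # input are escaped as well, so a user cannot widen the match with % or _.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT code, description FROM vouchers "
        "WHERE is_admin = 0 AND description LIKE ? ESCAPE '\\'"
    )
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def quote_breaks_query(conn):
    # Review check for the pattern: a lone single quote as the search term.
    # The concatenating version raises a syntax error because the quote ends
    # the string literal early; the parameterised version just looks for a
    # literal quote character and returns nothing.
    try:
        search_vulnerable(conn, "'")
        vulnerable_errored = False
    except sqlite3.OperationalError:
        vulnerable_errored = True
    return vulnerable_errored, search_safe(conn, "'")
```

The wildcard case shows the difference even without a quote: a bare `%` term matches every visible voucher in the concatenating version but only the description that literally contains a percent sign in the parameterised one.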
Who It's For
Testers ready to move past the very easiest SQLi and tackle a clean mid-tier example.
Skills You'll Practice
- Classical in-band SQL injection
- Search-feature enumeration techniques
- Column and table discovery
- Data exfiltration through reflected results
- Recognising common string-concatenation flaws
What You'll Gain
- A clean, confidence-building mid-tier SQLi solve
- Reinforcement of union-based extraction fundamentals
- Sharper pattern recognition for launch-week code smells
- A reliable reference lab to revisit when drilling basics